Class RFC3280CertPathUtilitiesCanl


  • public class RFC3280CertPathUtilitiesCanl
    extends java.lang.Object
    This class exposes BouncyCastle's JCA implementation of RFC3280CertPathUtilities. It was created to fix its bugs (only one or two; these should be resolved in BC 1.47) and to make its errors consumable by the rest of this library (which accounts for most of the code).
    Author:
    K. Benedyczak (modifications)
    • Method Summary

      Modifier and Type Method Description
      protected static void checkCRLs​(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.security.cert.X509Certificate cert, java.util.Date validDate, java.security.cert.X509Certificate sign, java.security.PublicKey workingPublicKey, java.util.List certPathCerts, org.bouncycastle.jcajce.util.JcaJceHelper helper)
      Checks whether a certificate is revoked.
      static void checkCRLs2​(ExtPKIXParameters2 paramsPKIX, java.security.cert.X509Certificate cert, java.util.Date validDate, java.security.cert.X509Certificate sign, java.security.PublicKey workingPublicKey, java.util.List<?> certPathCerts, org.bouncycastle.jcajce.util.JcaJceHelper jcaHelper)
      Checks whether a certificate is revoked.
      protected static void getCertStatus​(java.util.Date validDate, java.security.cert.X509CRL crl, java.lang.Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)  
      protected static PKIXPolicyNode prepareCertB​(java.security.cert.CertPath certPath, int index, java.util.List[] policyNodes, PKIXPolicyNode validPolicyTree, int policyMapping)  
      protected static void prepareNextCertA​(java.security.cert.CertPath certPath, int index)  
      protected static void prepareNextCertG​(java.security.cert.CertPath certPath, int index, org.bouncycastle.jce.provider.PKIXNameConstraintValidator nameConstraintValidator)  
      protected static int prepareNextCertH1​(java.security.cert.CertPath certPath, int index, int explicitPolicy)  
      protected static int prepareNextCertH2​(java.security.cert.CertPath certPath, int index, int policyMapping)  
      protected static int prepareNextCertH3​(java.security.cert.CertPath certPath, int index, int inhibitAnyPolicy)  
      protected static int prepareNextCertI1​(java.security.cert.CertPath certPath, int index, int explicitPolicy)  
      protected static int prepareNextCertI2​(java.security.cert.CertPath certPath, int index, int policyMapping)  
      protected static int prepareNextCertJ​(java.security.cert.CertPath certPath, int index, int inhibitAnyPolicy)  
      protected static void prepareNextCertK​(java.security.cert.CertPath certPath, int index)  
      protected static int prepareNextCertL​(java.security.cert.CertPath certPath, int index, int maxPathLength)  
      protected static int prepareNextCertM​(java.security.cert.CertPath certPath, int index, int maxPathLength)  
      protected static void prepareNextCertN​(java.security.cert.CertPath certPath, int index)  
      protected static void prepareNextCertO​(java.security.cert.CertPath certPath, int index, java.util.Set criticalExtensions, java.util.List pathCheckers)  
      protected static void processCertA​(java.security.cert.CertPath certPath, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, int index, java.security.PublicKey workingPublicKey, boolean verificationAlreadyPerformed, org.bouncycastle.asn1.x500.X500Name workingIssuerName, java.security.cert.X509Certificate sign, org.bouncycastle.jcajce.util.JcaJceHelper helper)  
      protected static void processCertBC​(java.security.cert.CertPath certPath, int index, org.bouncycastle.jce.provider.PKIXNameConstraintValidator nameConstraintValidator)  
      protected static PKIXPolicyNode processCertD​(java.security.cert.CertPath certPath, int index, java.util.Set acceptablePolicies, PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, int inhibitAnyPolicy)  
      protected static PKIXPolicyNode processCertE​(java.security.cert.CertPath certPath, int index, PKIXPolicyNode validPolicyTree)  
      protected static void processCertF​(java.security.cert.CertPath certPath, int index, PKIXPolicyNode validPolicyTree, int explicitPolicy)  
      protected static java.util.Set processCRLA1i​(java.util.Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.security.cert.X509Certificate cert, java.security.cert.X509CRL crl)  
      protected static java.util.Set[] processCRLA1ii​(java.util.Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.security.cert.X509Certificate cert, java.security.cert.X509CRL crl)  
      protected static void processCRLB1​(org.bouncycastle.asn1.x509.DistributionPoint dp, java.lang.Object cert, java.security.cert.X509CRL crl)
      If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted.
      protected static void processCRLB2​(org.bouncycastle.asn1.x509.DistributionPoint dp, java.lang.Object cert, java.security.cert.X509CRL crl)
      If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:
      protected static void processCRLC​(java.security.cert.X509CRL deltaCRL, java.security.cert.X509CRL completeCRL, org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams)
      If use-deltas is set, verify the issuer and scope of the delta CRL.
      protected static eu.emi.security.authn.x509.helpers.pkipath.bc.ReasonsMask processCRLD​(java.security.cert.X509CRL crl, org.bouncycastle.asn1.x509.DistributionPoint dp)  
      protected static java.util.Set processCRLF​(java.security.cert.X509CRL crl, java.lang.Object cert, java.security.cert.X509Certificate defaultCRLSignCert, java.security.PublicKey defaultCRLSignKey, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.util.List certPathCerts, org.bouncycastle.jcajce.util.JcaJceHelper helper)
      Obtain and validate the certification path for the complete CRL issuer.
      protected static java.security.PublicKey processCRLG​(java.security.cert.X509CRL crl, java.util.Set keys)  
      protected static java.security.cert.X509CRL processCRLH​(java.util.Set deltacrls, java.security.PublicKey key)  
      protected static void processCRLI​(java.util.Date validDate, java.security.cert.X509CRL deltacrl, java.lang.Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus, org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams)  
      protected static void processCRLJ​(java.util.Date validDate, java.security.cert.X509CRL completecrl, java.lang.Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)  
      protected static int wrapupCertA​(int explicitPolicy, java.security.cert.X509Certificate cert)  
      protected static int wrapupCertB​(java.security.cert.CertPath certPath, int index, int explicitPolicy)  
      protected static void wrapupCertF​(java.security.cert.CertPath certPath, int index, java.util.List pathCheckers, java.util.Set criticalExtensions)  
      protected static PKIXPolicyNode wrapupCertG​(java.security.cert.CertPath certPath, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.util.Set userInitialPolicySet, int index, java.util.List[] policyNodes, PKIXPolicyNode validPolicyTree, java.util.Set acceptablePolicies)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • CERTIFICATE_POLICIES

        public static final java.lang.String CERTIFICATE_POLICIES
      • POLICY_MAPPINGS

        public static final java.lang.String POLICY_MAPPINGS
      • INHIBIT_ANY_POLICY

        public static final java.lang.String INHIBIT_ANY_POLICY
      • ISSUING_DISTRIBUTION_POINT

        public static final java.lang.String ISSUING_DISTRIBUTION_POINT
      • FRESHEST_CRL

        public static final java.lang.String FRESHEST_CRL
      • DELTA_CRL_INDICATOR

        public static final java.lang.String DELTA_CRL_INDICATOR
      • POLICY_CONSTRAINTS

        public static final java.lang.String POLICY_CONSTRAINTS
      • BASIC_CONSTRAINTS

        public static final java.lang.String BASIC_CONSTRAINTS
      • CRL_DISTRIBUTION_POINTS

        public static final java.lang.String CRL_DISTRIBUTION_POINTS
      • SUBJECT_ALTERNATIVE_NAME

        public static final java.lang.String SUBJECT_ALTERNATIVE_NAME
      • NAME_CONSTRAINTS

        public static final java.lang.String NAME_CONSTRAINTS
      • AUTHORITY_KEY_IDENTIFIER

        public static final java.lang.String AUTHORITY_KEY_IDENTIFIER
      • KEY_USAGE

        public static final java.lang.String KEY_USAGE
      • CRL_NUMBER

        public static final java.lang.String CRL_NUMBER
      • crlReasons

        protected static final java.lang.String[] crlReasons
    • Constructor Detail

      • RFC3280CertPathUtilitiesCanl

        public RFC3280CertPathUtilitiesCanl()
    • Method Detail

      • checkCRLs2

        public static void checkCRLs2​(ExtPKIXParameters2 paramsPKIX,
                                      java.security.cert.X509Certificate cert,
                                      java.util.Date validDate,
                                      java.security.cert.X509Certificate sign,
                                      java.security.PublicKey workingPublicKey,
                                      java.util.List<?> certPathCerts,
                                      org.bouncycastle.jcajce.util.JcaJceHelper jcaHelper)
                               throws SimpleValidationErrorException
        Checks whether a certificate is revoked.
        Parameters:
        paramsPKIX - PKIX parameters.
        cert - Certificate to check if it is revoked.
        validDate - The date when the certificate revocation status should be checked.
        sign - The issuer certificate of the certificate cert.
        workingPublicKey - The public key of the issuer certificate sign.
        certPathCerts - The certificates of the certification path.
        jcaHelper - JcaJce helper
        Throws:
        SimpleValidationErrorException - if the certificate is revoked or the status cannot be checked or some error occurs.
      • processCRLB2

        protected static void processCRLB2​(org.bouncycastle.asn1.x509.DistributionPoint dp,
                                           java.lang.Object cert,
                                           java.security.cert.X509CRL crl)
                                    throws org.bouncycastle.jce.provider.AnnotatedException
        If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:

        (i) If the distribution point name is present in the IDP CRL extension and the distributionPoint field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distributionPoint field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP.

        (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the certificate does not include the basic constraints extension with the cA boolean asserted.

        (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the certificate includes the basic constraints extension with the cA boolean asserted.

        (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.

        Parameters:
        dp - The distribution point.
        cert - The certificate.
        crl - The CRL.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if one of the conditions is not met or an error occurs.
      • processCRLB1

        protected static void processCRLB1​(org.bouncycastle.asn1.x509.DistributionPoint dp,
                                           java.lang.Object cert,
                                           java.security.cert.X509CRL crl)
                                    throws org.bouncycastle.jce.provider.AnnotatedException
        If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the certificate issuer.
        Parameters:
        dp - The distribution point.
        cert - The certificate or attribute certificate.
        crl - The CRL for cert.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if one of the above conditions does not apply or an error occurs.
      • processCRLD

        protected static eu.emi.security.authn.x509.helpers.pkipath.bc.ReasonsMask processCRLD​(java.security.cert.X509CRL crl,
                                                                                               org.bouncycastle.asn1.x509.DistributionPoint dp)
                                                                                        throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLF

        protected static java.util.Set processCRLF​(java.security.cert.X509CRL crl,
                                                   java.lang.Object cert,
                                                   java.security.cert.X509Certificate defaultCRLSignCert,
                                                   java.security.PublicKey defaultCRLSignKey,
                                                   org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                                   java.util.List certPathCerts,
                                                   org.bouncycastle.jcajce.util.JcaJceHelper helper)
                                            throws org.bouncycastle.jce.provider.AnnotatedException
        Obtain and validate the certification path for the complete CRL issuer. If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.
        Parameters:
        crl - CRL which contains revocation information for the certificate cert.
        cert - The attribute certificate or certificate to check if it is revoked.
        defaultCRLSignCert - The issuer certificate of the certificate cert.
        defaultCRLSignKey - The public key of the issuer certificate defaultCRLSignCert.
        paramsPKIX - PKIX parameters.
        certPathCerts - The certificates on the certification path.
        helper - JcaJce helper
        Returns:
        A Set with all keys of possible CRL issuer certificates.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if the CRL is not valid or the status cannot be checked or some error occurs.
      • processCRLG

        protected static java.security.PublicKey processCRLG​(java.security.cert.X509CRL crl,
                                                             java.util.Set keys)
                                                      throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLH

        protected static java.security.cert.X509CRL processCRLH​(java.util.Set deltacrls,
                                                                java.security.PublicKey key)
                                                         throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLA1i

        protected static java.util.Set processCRLA1i​(java.util.Date currentDate,
                                                     org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                                     java.security.cert.X509Certificate cert,
                                                     java.security.cert.X509CRL crl)
                                              throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLA1ii

        protected static java.util.Set[] processCRLA1ii​(java.util.Date currentDate,
                                                        org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                                        java.security.cert.X509Certificate cert,
                                                        java.security.cert.X509CRL crl)
                                                 throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLC

        protected static void processCRLC​(java.security.cert.X509CRL deltaCRL,
                                          java.security.cert.X509CRL completeCRL,
                                          org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams)
                                   throws org.bouncycastle.jce.provider.AnnotatedException
        If use-deltas is set, verify the issuer and scope of the delta CRL.
        Parameters:
        deltaCRL - The delta CRL.
        completeCRL - The complete CRL.
        pkixParams - The PKIX parameters.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs.
      • processCRLI

        protected static void processCRLI​(java.util.Date validDate,
                                          java.security.cert.X509CRL deltacrl,
                                          java.lang.Object cert,
                                          eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus,
                                          org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams)
                                   throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLJ

        protected static void processCRLJ​(java.util.Date validDate,
                                          java.security.cert.X509CRL completecrl,
                                          java.lang.Object cert,
                                          eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
                                   throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • prepareCertB

        protected static PKIXPolicyNode prepareCertB​(java.security.cert.CertPath certPath,
                                                     int index,
                                                     java.util.List[] policyNodes,
                                                     PKIXPolicyNode validPolicyTree,
                                                     int policyMapping)
                                              throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertA

        protected static void prepareNextCertA​(java.security.cert.CertPath certPath,
                                               int index)
                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • processCertF

        protected static void processCertF​(java.security.cert.CertPath certPath,
                                           int index,
                                           PKIXPolicyNode validPolicyTree,
                                           int explicitPolicy)
                                    throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • processCertE

        protected static PKIXPolicyNode processCertE​(java.security.cert.CertPath certPath,
                                                     int index,
                                                     PKIXPolicyNode validPolicyTree)
                                              throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • processCertBC

        protected static void processCertBC​(java.security.cert.CertPath certPath,
                                            int index,
                                            org.bouncycastle.jce.provider.PKIXNameConstraintValidator nameConstraintValidator)
                                     throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • processCertD

        protected static PKIXPolicyNode processCertD​(java.security.cert.CertPath certPath,
                                                     int index,
                                                     java.util.Set acceptablePolicies,
                                                     PKIXPolicyNode validPolicyTree,
                                                     java.util.List[] policyNodes,
                                                     int inhibitAnyPolicy)
                                              throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • processCertA

        protected static void processCertA​(java.security.cert.CertPath certPath,
                                           org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                           int index,
                                           java.security.PublicKey workingPublicKey,
                                           boolean verificationAlreadyPerformed,
                                           org.bouncycastle.asn1.x500.X500Name workingIssuerName,
                                           java.security.cert.X509Certificate sign,
                                           org.bouncycastle.jcajce.util.JcaJceHelper helper)
                                    throws org.bouncycastle.jce.exception.ExtCertPathValidatorException
        Throws:
        org.bouncycastle.jce.exception.ExtCertPathValidatorException
      • prepareNextCertI1

        protected static int prepareNextCertI1​(java.security.cert.CertPath certPath,
                                               int index,
                                               int explicitPolicy)
                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertI2

        protected static int prepareNextCertI2​(java.security.cert.CertPath certPath,
                                               int index,
                                               int policyMapping)
                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertG

        protected static void prepareNextCertG​(java.security.cert.CertPath certPath,
                                               int index,
                                               org.bouncycastle.jce.provider.PKIXNameConstraintValidator nameConstraintValidator)
                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • checkCRLs

        protected static void checkCRLs​(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                        java.security.cert.X509Certificate cert,
                                        java.util.Date validDate,
                                        java.security.cert.X509Certificate sign,
                                        java.security.PublicKey workingPublicKey,
                                        java.util.List certPathCerts,
                                        org.bouncycastle.jcajce.util.JcaJceHelper helper)
                                 throws org.bouncycastle.jce.provider.AnnotatedException
        Checks whether a certificate is revoked.
        Parameters:
        paramsPKIX - PKIX parameters.
        cert - Certificate to check if it is revoked.
        validDate - The date when the certificate revocation status should be checked.
        sign - The issuer certificate of the certificate cert.
        workingPublicKey - The public key of the issuer certificate sign.
        certPathCerts - The certificates of the certification path.
        helper - JcaJce Helper
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if the certificate is revoked or the status cannot be checked or some error occurs.
      • prepareNextCertJ

        protected static int prepareNextCertJ​(java.security.cert.CertPath certPath,
                                              int index,
                                              int inhibitAnyPolicy)
                                       throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertK

        protected static void prepareNextCertK​(java.security.cert.CertPath certPath,
                                               int index)
                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertL

        protected static int prepareNextCertL​(java.security.cert.CertPath certPath,
                                              int index,
                                              int maxPathLength)
                                       throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertM

        protected static int prepareNextCertM​(java.security.cert.CertPath certPath,
                                              int index,
                                              int maxPathLength)
                                       throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertN

        protected static void prepareNextCertN​(java.security.cert.CertPath certPath,
                                               int index)
                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertO

        protected static void prepareNextCertO​(java.security.cert.CertPath certPath,
                                               int index,
                                               java.util.Set criticalExtensions,
                                               java.util.List pathCheckers)
                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • prepareNextCertH1

        protected static int prepareNextCertH1​(java.security.cert.CertPath certPath,
                                               int index,
                                               int explicitPolicy)
      • prepareNextCertH2

        protected static int prepareNextCertH2​(java.security.cert.CertPath certPath,
                                               int index,
                                               int policyMapping)
      • prepareNextCertH3

        protected static int prepareNextCertH3​(java.security.cert.CertPath certPath,
                                               int index,
                                               int inhibitAnyPolicy)
      • wrapupCertA

        protected static int wrapupCertA​(int explicitPolicy,
                                         java.security.cert.X509Certificate cert)
      • wrapupCertB

        protected static int wrapupCertB​(java.security.cert.CertPath certPath,
                                         int index,
                                         int explicitPolicy)
                                  throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • wrapupCertF

        protected static void wrapupCertF​(java.security.cert.CertPath certPath,
                                          int index,
                                          java.util.List pathCheckers,
                                          java.util.Set criticalExtensions)
                                   throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • wrapupCertG

        protected static PKIXPolicyNode wrapupCertG​(java.security.cert.CertPath certPath,
                                                    org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                                    java.util.Set userInitialPolicySet,
                                                    int index,
                                                    java.util.List[] policyNodes,
                                                    PKIXPolicyNode validPolicyTree,
                                                    java.util.Set acceptablePolicies)
                                             throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException